INFORMATION SECURITY PROGRAM

National Transportation Safety Board

Report Number: FI-2007-001
Date Issued: October 13, 2006

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General
Washington, D.C. 20590

October 13, 2006

The Honorable Mark V. Rosenker
Chairman
National Transportation Safety Board
490 L’Enfant Plaza, SW
Washington, DC 20594

Dear Chairman Rosenker:

This report presents the results of our audit of the National Transportation Safety Board’s (NTSB) information security program, required by the Federal Information Security Management Act (FISMA) of 2002. We have also included our FISMA evaluation submission to the Office of Management and Budget (OMB) in Enclosure 1.

In fiscal year (FY) 2006, NTSB made a concerted effort to correct security weaknesses identified in prior years, including establishing a new Chief Information Officer office, developing a system inventory and a timetable to complete system security certification reviews, implementing password lockouts on computers, and providing information security awareness training to NTSB employees. In addition, NTSB should be commended for having established capabilities to perform network vulnerability scans and monitor networks for possible intrusions.

However, continued management attention is needed in several areas: (1) assessing systems risk and assigning a priority to reviewing and testing security protection of systems with a higher-risk impact on NTSB operations, (2) enforcing and following through on the newly established network security requirements, and (3) identifying systems containing sensitive personally identifiable information for proper protection. As a result, NTSB’s information security program in our opinion still has a significant deficiency that should be reported as a material internal control weakness on the annual Federal Managers’ Financial Integrity Act (FMFIA) report to OMB and Congress.

We are making a series of recommendations starting on page 11 to help NTSB strengthen its information security program. On September 28, 2006, NTSB provided us with its response to a draft of this report. Although NTSB did not specify whether it concurs with each recommendation, NTSB appears to have some disagreements. We have included NTSB’s response in its entirety in Enclosure 4. We added our analysis of the response to each report section as appropriate.

We appreciate the courtesies and cooperation of NTSB representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-6767; David Dobbs, Acting Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-0500; or Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1496.

Sincerely,

Todd J. Zinser
Acting Inspector General

Enclosures (4)

INTRODUCTION

To support its investigative operations nationwide, NTSB has implemented an information technology (IT) infrastructure that includes communications networks, computer laboratories, and software application systems at its Headquarters, 10 regional offices, and Academy. This infrastructure enables NTSB’s investigators to gather accident evidence, analyze information from voice and data recorders, assist victims’ family members, and provide accident investigation results to the public.

This is the third year that independent agencies such as NTSB have been required to report to the Congress on their information security programs.[1] The Department of Transportation’s Office of Inspector General (OIG) performed audits of NTSB’s information security program for FY 2004 and FY 2005.[2] Last year, we found that NTSB had made limited progress in enhancing its information security program, and many network vulnerabilities exposed NTSB computers to unauthorized access from both inside and outside the Agency. As a result, we suggested to NTSB that its information security program should be reported to OMB and Congress as a material weakness under the Federal Managers’ Financial Integrity Act of 1982 and recommended corrective actions, which NTSB management agreed to do.

In FY 2006, NTSB continued to correct information security weaknesses; however, it experienced leadership turnovers in the Chief Information Officer (CIO) office. As a result, the NTSB Deputy Managing Director assumed the role of the Acting CIO in May 2006 and provided critical leadership during this transition period. Our objectives for this year’s review were to evaluate (1) whether system risks were properly assessed and security weaknesses were reported for correction, (2) the effectiveness of enhanced network security operations, and (3) the progress made by NTSB in protecting sensitive agency information.

We conducted this performance audit in accordance with Generally Accepted Government Auditing Standards as prescribed by the Comptroller General of the United States, and performed such tests as we considered necessary to detect fraud, waste, and abuse. Our contribution to NTSB’s annual FISMA report to OMB appears as Enclosure 1. Our scope and methodology are described in more detail in Enclosure 2.

[1] FISMA requires the 24 large Federal agencies to report annually to the Congress on their information security programs. Two years ago the Office of Management and Budget (OMB) expanded FISMA reporting requirements to all departments and agencies subject to the Paperwork Reduction Act of 1995, including NTSB.

[2] OIG Report Number FI-2006-001, “NTSB Information Security Program,” October 7, 2005, and OIG Report Number FI-2004-097, “NTSB Information Security Program,” September 28, 2004. OIG reports can be found at www.oig.dot.gov.

RESULTS

System Impact Assessments Need To Be More Thorough To Protect Against Disruption

NTSB’s information security has improved from last year, but its data and information systems remain at risk. NTSB did not differentiate its systems by risk level. The key reason for this is that NTSB did not fully implement policies that included all requirements of the National Institute of Standards and Technology (NIST). As a result, NTSB has not prioritized the certification and accreditation (C&A)[3] reviews of its information systems.

Impact Levels of NTSB Systems Need More Review

As part of FISMA, agencies are required to use Federal Information Processing Standards (FIPS) Publication 199 (“Standards for Security Categorization of Federal Information and Information Systems,” February 2004) to categorize the risk impact levels of each of their information systems.
FIPS 199 establishes three potential levels of impact (low, moderate, and high) relevant to securing Federal information and information systems to adequately ensure the confidentiality, integrity, and availability of the data. FIPS 199 and 200[4] stress the importance of (1) prioritizing levels of risk and (2) meeting minimum security requirements commensurate with the risk level.

Last year we recommended that NTSB assign a high priority to completing the C&A reviews of its high-risk (most critical) systems. NTSB hired a contractor to assist it in the risk assessment and has since concluded that it has no high-risk systems. All six NTSB systems[5] are deemed to have a moderate level of risk for all three security components—confidentiality, integrity, and availability.

However, NTSB only assessed the risk impact level for three systems—General Support, Accident Investigation, and Financial Management. It did not perform a specific risk assessment on the other three systems (Telephone, Physical Security, and Laboratory Environment). NTSB decided that the three systems not assessed would also merit a moderate risk rating because they used to be sub-components of the three assessed systems.

[3] According to NIST Special Publication 800-37, “Guide for the Security Certification and Accreditation of Federal Information Systems” (May 2004), certification is the comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly. Accreditation is the official management decision given by a senior agency official to authorize operations of an information system and to explicitly accept the risk to agency operations.

[4] FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006.

[5] The six systems are the General Support System, Telephone System, Physical Security System, Laboratory Environment System, Accident Investigation System, and Financial Management System.

We are concerned that under this assessment scheme, all systems will receive the same level of security protection, even though some are clearly more sensitive than others. For example, the Laboratory Environment System, used to analyze aircraft black-box recordings, should receive a higher level of risk assessment and security protection than other systems, such as the Telephone Switch System. NTSB’s laboratory environment contains highly sensitive audio recordings that, by law, are not to be disclosed to the general public. Further, justification for the moderate-level categorizations in NTSB’s risk assessments was lacking. For example, NTSB did not use vulnerability and threat information to support the security categorizations that it identified for each system, as FIPS 199 requires.

In addition, NTSB’s interpretation of NIST guidance for high-risk impact systems needs to be reevaluated. According to FIPS 199, the impact on an organization should be categorized high if “the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.”

NTSB management informed us that unlike air traffic control systems, none of its systems could result in loss of human lives and so are not high-risk impact systems. We confirmed with NIST that systems with a severe impact on the Agency’s mission capability and organizational assets, including but not limited to loss of human lives, should be categorized as high-risk impact systems for security planning and testing.

NTSB’s response to our draft report indicated that it disagreed that vulnerability and threat information were not incorporated into its security categorizations. Our analysis of NTSB’s three risk assessments did not find any vulnerability and threat data. According to NIST 800-37, the methods used to assess risk include considering vulnerabilities and threats in the information system. These vulnerabilities are identified by evaluating the effectiveness of current or proposed security controls applied to a system. Vulnerabilities resulting from the absence of these controls provide the basis for determining the agency-level risk posed by the system’s operation. This provides a starting point for NTSB’s overall risk management process.

The risk assessments also did not show the overall level of risk for each control by applying the NIST-recommended formula to define risk: RISK = Likelihood x Magnitude of Impact. The assessments lacked the following information: likelihood of occurrence, threat-source identification, and a risk-level matrix from which to conclude each system’s impact level.
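The following is an added worked example, not part of the OIG report or of NTSB’s assessments, showing what the missing analysis looks like when it is carried through: a per-control risk register built from threat source, likelihood, and magnitude of impact using the formula quoted above, and a FIPS 199 categorization per system derived from the impact evidence (high-water mark across confidentiality, integrity, and availability). The numeric scales are an assumption taken from NIST SP 800-30 (2002), which the report does not cite; the threat entries and system ratings are constructed for illustration.

```python
"""Likelihood x impact risk register and FIPS 199 high-water-mark categorization.

Added example; not part of the OIG report or NTSB's assessments. It supplies
the three elements the report found missing (threat-source identification,
likelihood of occurrence, a risk-level matrix) and then derives each system's
FIPS 199 category from the impact evidence.
ASSUMPTION: the scales (likelihood 1.0/0.5/0.1, impact 100/50/10, risk bands
>50 high, >10 moderate, else low) follow NIST SP 800-30 (2002), which the
report itself does not cite. The threat entries below are constructed.
"""
from dataclasses import dataclass

LIKELIHOOD = {"high": 1.0, "moderate": 0.5, "low": 0.1}
IMPACT = {"high": 100, "moderate": 50, "low": 10}
RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class ThreatEntry:
    system: str
    threat_source: str   # who or what could exercise the vulnerability
    vulnerability: str   # the weakness, typically a missing or ineffective control
    likelihood: str      # likelihood of occurrence: low / moderate / high
    objective: str       # security objective affected (one of OBJECTIVES)
    impact: str          # magnitude of impact on that objective


def risk_score(likelihood: str, impact: str) -> float:
    """RISK = Likelihood x Magnitude of Impact, the formula the report quotes."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: float) -> str:
    """Map a numeric score onto the three-band risk-level matrix."""
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


def risk_register(entries):
    """One row per threat/vulnerability pair with its computed risk level.
    This is the per-control evidence the report says the assessments lacked."""
    rows = []
    for e in entries:
        score = risk_score(e.likelihood, e.impact)
        rows.append({"system": e.system, "threat_source": e.threat_source,
                     "vulnerability": e.vulnerability, "objective": e.objective,
                     "score": score, "level": risk_level(score)})
    return rows


def categorize(entries):
    """FIPS 199 security categorization per system.

    Each objective takes the worst-case impact found in the evidence, and the
    system's overall category is the high-water mark across the three
    objectives. Likelihood does not enter here: FIPS 199 rates potential
    impact, and likelihood belongs to the risk register. An objective with no
    supporting entry is listed under "unsupported", which is the
    'justification lacking' condition the report describes.
    """
    systems = {}
    for e in entries:
        if e.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {e.objective}")
        cat = systems.setdefault(e.system, {o: None for o in OBJECTIVES})
        current = cat[e.objective]
        if current is None or RANK[e.impact] > RANK[current]:
            cat[e.objective] = e.impact
    for cat in systems.values():
        cat["unsupported"] = [o for o in OBJECTIVES if cat[o] is None]
        rated = [cat[o] for o in OBJECTIVES if cat[o] is not None]
        cat["overall"] = max(rated, key=RANK.__getitem__)
    return systems


# Constructed sample entries; the ratings are illustrative, not NTSB data.
SAMPLE = [
    ThreatEntry("Laboratory Environment System", "insider with lab access",
                "no access logging on recorder analysis workstations",
                "moderate", "confidentiality", "high"),
    ThreatEntry("Laboratory Environment System", "malware via removable media",
                "analysis workstation missing vendor patches",
                "moderate", "integrity", "moderate"),
    ThreatEntry("Laboratory Environment System", "disk failure",
                "recorder data not on a tested backup schedule",
                "low", "availability", "moderate"),
    ThreatEntry("Telephone System", "outside caller",
                "default voicemail PIN left in place",
                "high", "confidentiality", "low"),
    ThreatEntry("Telephone System", "power outage",
                "switch not on protected power",
                "low", "availability", "moderate"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE):
        print(f"{row['system']:<30} {row['objective']:<16} "
              f"{row['score']:>6}  {row['level']}")
    for name, cat in categorize(SAMPLE).items():
        print(name, cat)
```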
This analysis is needed for agency officials to properly assess risk and categorize their systems in accordance with FIPS 199, which states that security categories are to be used in conjunction with vulnerability and threat information in assessing the risk to an organization.

Unless NTSB performs more thorough risk assessments, it may be underestimating the impact these systems could have on its operations and mission if they were to be compromised. Further, it cannot be assured that NTSB has implemented the most appropriate set of controls to reduce risk to an acceptable level.

Planned Systems Security Reviews Need To Be Better Prioritized

OMB requires Federal agencies to establish a certification and accreditation process for formally authorizing systems to operate. Security certification and accreditation provides Agency officials with the necessary information to understand the risks and other factors pertaining to their systems that could adversely affect mission goals.

Last year, we recommended that NTSB establish a timetable to complete security certification and accreditation reviews for all of its systems. While NTSB has established such a timetable, the majority of the systems security (certification and accreditation) reviews are scheduled to be completed in early FY 2008 (see Table 1). Accordingly, NTSB will not have any system certification and accreditation reviews completed in time for next year’s FISMA review, and its systems could remain vulnerable for another year. NTSB should accelerate its certification and accreditation review process based on the result of reassessing its systems’ impact levels.

Table 1. NTSB Certification and Accreditation Target Completion Dates

NTSB System                        Certification and Accreditation Target Completion Date
General Support System             9/30/2007
Telephone System                   10/31/2007
Physical Security System           10/31/2007
Laboratory Environment System      12/31/2007
Accident Investigation System      12/31/2007
Financial Management System        Completed 7/2004 (by the service provider)[a]

[a] This system is operated under contract by the Department of the Interior, which owns it; however, NTSB retains ownership of the data it contains.

Further, in the timetable NTSB provided, the process for completing the C&A review for the General Support System was broken down into its individual steps, such as conducting a risk assessment, creating a security plan, and conducting contingency planning. For the remaining systems, however, projected completion dates for each of these three component steps were not recorded in the plan of action and milestones (POA&M). Establishing more specific milestone dates would help ensure that all required steps are identified and accomplished for prompt completion of its certification and accreditation reviews.

NTSB’s Network Security Has Been Enhanced, but More Is Needed

During FY 2006, NTSB improved its network security operations by implementing stronger encryption protection for passwords on its network routers, deploying an Agencywide computer lockout policy, and issuing a series of internal operations bulletins. In addition, NTSB should be commended for successfully developing network vulnerability scanning and intrusion-detection capabilities. However, NTSB has much to do to further improve its network security protection.

Password Security Requirements Need To Be Enforced

On June 30, 2006, NTSB issued specific operations bulletins to address the FISMA requirement for minimally acceptable system configuration settings, including password security settings for more than 400 network users logging onto the NTSB network. However, we found that the actual configuration of NTSB network computers—specifically, password settings—did not comply with NTSB’s security requirements.

For example, the NTSB policy required users to have a minimum password length of eight characters with a mixture of letters, numbers, and special symbols. While the minimum password length was configured as eight characters, the requirement for using a mixture of letters, numbers, and special symbols was not enforced.
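The following is an added example, not from the OIG report or from NTSB, of the check an auditor can run to show the gap between a written password policy and the configured one: it parses an exported local security policy, evaluates candidate passwords against the configured settings and against the written requirement (eight characters with letters, numbers, and special symbols), and shows the same export with the complexity setting enabled. The export is constructed in the style of `secedit /export` output, the account name jdoe and all candidate passwords are assumed, and the complexity test follows footnote 6’s description of the Windows setting.

```python
"""Written-policy versus configured-policy password check.

Added example; not from the OIG report or NTSB. It parses a local security
policy export, shows which passwords the configured settings would accept
against what the written policy demands, and produces the corrected export.
ASSUMPTIONS: the export mimics `secedit /export /cfg <file>` output
(INI-style; real exports are UTF-16 files and must be decoded first) and is
constructed here; the complexity test implements footnote 6's description of
the Windows "Password must meet complexity requirements" setting (no account
name in the password, at least three of four character classes) and omits the
setting's additional match against parts of the user's full name.
"""
import configparser
import re
from dataclasses import dataclass

# Constructed sample: the state the report describes (minimum length enforced
# at eight, PasswordComplexity disabled).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 0
PasswordHistorySize = 6
LockoutBadCount = 5
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    complexity_enabled: bool


def parse_export(text: str) -> PasswordPolicy:
    """Read the two [System Access] keys that decide the finding."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as exported
    cp.read_string(text)
    sa = cp["System Access"]
    return PasswordPolicy(int(sa["MinimumPasswordLength"]),
                          sa["PasswordComplexity"].strip() == "1")


CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())


def meets_complexity(password: str, account_name: str) -> bool:
    """The complexity rule as footnote 6 describes it (see ASSUMPTIONS)."""
    if account_name and account_name.lower() in password.lower():
        return False
    present = sum(any(cls(c) for c in password) for cls in CLASSES)
    return present >= 3


def meets_written_policy(password: str) -> bool:
    """NTSB's written requirement as the report states it: eight characters
    with a mixture of letters, numbers, and special symbols."""
    return (len(password) >= 8
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def accepted_by_configuration(policy: PasswordPolicy, password: str,
                              account_name: str) -> bool:
    """What the domain would actually accept under the exported settings."""
    if len(password) < policy.min_length:
        return False
    if policy.complexity_enabled:
        return meets_complexity(password, account_name)
    return True


def audit(policy: PasswordPolicy, candidates, account_name: str = "jdoe"):
    """Passwords the configuration accepts but the written policy forbids.
    An empty list means the configuration enforces the written policy."""
    return [pw for pw in candidates
            if accepted_by_configuration(policy, pw, account_name)
            and not meets_written_policy(pw)]


def remediated_export(text: str) -> str:
    """Same export with PasswordComplexity set to 1, the change the report
    recommends; on a host this is applied through Group Policy or
    `secedit /configure`, not by editing the file in place."""
    return re.sub(r"^(PasswordComplexity\s*=\s*)0\s*$", r"\g<1>1",
                  text, flags=re.MULTILINE)


# Assumed candidate passwords, including the two the report names.
CANDIDATES = ["12345678", "abcdefgh", "Sum3r!Rain", "jdoe2006!", "Ab1!"]

if __name__ == "__main__":
    configured = parse_export(SAMPLE_EXPORT)
    print("configured:", configured, "->", audit(configured, CANDIDATES))
    fixed = parse_export(remediated_export(SAMPLE_EXPORT))
    print("remediated:", fixed, "->", audit(fixed, CANDIDATES))
```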
As a result, users could set their passwords as “12345678” or “abcdefgh,” which could be easily guessed or cracked by hackers to gain unauthorized access to NTSB information systems.

Responding to a draft of the report, NTSB’s Acting CIO stated that “NTSB Operations Bulletin … recommends … complex passwords.… Our written policy does not require complex passwords; however, our security policies do enforce strong password requirements…” On the basis of this enforcement, the Acting CIO asked that we delete this issue from our draft report.

However, as of August 23, 2006, the network configuration setting for “Password must meet complexity requirements” was disabled. Clearly, then, password complexity requirements are not being enforced. Enforcing this basic password security practice is included in NIST guidance[6] and is commonly practiced in the Federal Government and in industry. We recommend, therefore, that NTSB make the use of complex passwords a clear requirement, and that NTSB enable its password complexity setting (i.e., passwords not meeting the complexity standard would be rejected).

NTSB Has Not Completed Work Necessary To Correct Previously Identified Vulnerabilities

During FY 2006, NTSB established auditing, monitoring, and reporting policies, which include periodic vulnerability assessments of its IT infrastructure and mitigation of identified weaknesses. In addition, Agency officials were trained in using vulnerability scanning software and started periodically assessing their network in December 2005. However, critical vulnerabilities were not adequately and promptly remediated.

For example, NTSB’s scanning results from May 2006 identified a total of 17,006 vulnerabilities (827 high, 549 medium, and 15,630 low).[7] Our review of NTSB’s scanning results found some of the same vulnerabilities that we identified a year ago.

• Eleven of the high vulnerabilities were password-related, four of which were found on the same computers that we had identified during our FY 2005 FISMA review.[8] These vulnerabilities could result in unauthorized access to or modification of business information stored in NTSB computers.

• Seventeen of the high vulnerabilities are related to buffer overflow,[9] 11 of which were found on the same computers that we had identified during last year’s FISMA review. This type of vulnerability could allow remote attackers to take full control of the computer, who could then modify data files or capture all of a user’s activities displayed on the screen.

OMB requires agencies to develop a POA&M to track, assess, and prioritize corrective actions taken to address security weaknesses identified. None of the network weaknesses identified during NTSB’s network scanning were recorded in the POA&M. As a result, NTSB management may not be effectively assigning resources toward mitigating the critical vulnerabilities identified.

[6] NIST SP 800-68: Passwords Must Meet Complexity Requirements. This setting makes it more difficult to guess or crack passwords. Enabling this setting implements complexity requirements including not having the user account name in the password and using a mixture of character types, including upper case and lower case letters, digits, and special characters such as punctuation marks.

[7] High-risk vulnerabilities may provide an attacker with immediate access into a computer system, such as allowing execution of remote commands. Medium- and low-risk vulnerabilities may provide an attacker with useful information, such as password files, that they can then use to compromise a computer system.

[8] OIG Report Number FI-2006-001, “NTSB Information Security Program,” October 7, 2005.

[9] Buffer overflow happens when more data are put into a buffer or memory holding area than it can handle; this can result in a system crash or the overwriting of the data into the adjacent buffers and the hijacking of control of the program.

While NTSB’s response stated that aggressive actions had taken place in addressing previously identified vulnerabilities, no documentary evidence was provided to support this assertion. As stated above, our review of NTSB’s scanning results from May 2006 showed some of these same vulnerabilities on the same computers that we reported on last year. NTSB also claimed that many of the vulnerabilities were false positives associated with network printers or similar equipment. However, we confirmed in our FY 2005 FISMA review that not all of the vulnerabilities cited were false positives.

We agree with NTSB that vulnerabilities, such as buffer overflow, could be addressed using an automated patch management system like the one deployed by NTSB. However, a patch to correct the buffer overflow vulnerability referenced above has been available from the vendor for over 2 years.

NTSB Has Established Intrusion-Detection Capabilities but Must Follow Up and Investigate Potential Cyber Security Incidents

Responding to last year’s OIG recommendations, NTSB developed policies and procedures that established the Agency’s cyber security incident monitoring and response capabilities. These policies and procedures provided basic criteria for incident classification, timelines for internal and external reporting to the United States Computer Emergency Readiness Team (US-CERT), and responsibilities of appropriate officials.

Further, in February 2006, NTSB reported having successfully implemented its intrusion-detection system (IDS) for monitoring and detecting potential cyber security incidents. However, security events recorded by the IDS were not adequately investigated. Our review of NTSB’s IDS log of activity between March and August 2006 uncovered signs of potential hacking activities taking place in April and July. These activities originated from two separate foreign countries and attempted to compromise the main NTSB web site. Yet NTSB management was not aware of these events and did not investigate them or report them to US-CERT. According to NTSB policy, these suspicious and unusual activities should have been investigated. Overall, NTSB did not provide sufficient evidence to show that the IDS log was properly reviewed or that potential incidents were investigated. Without implementing proper procedures to review and investigate its IDS event log, NTSB has no assurance that security incidents will be identified and preventive action against cyber attacks taken.

NTSB responded that it had provided evidence to support that IDS logs were periodically reviewed. However, the evidence does not support this assertion. NTSB showed us a printout of the computer screen, containing the names and size-and-date data of five log files. This does not demonstrate that the files themselves were actually reviewed.

NTSB’s current IDS also has certain limitations, such as not being comprehensive enough to detect intrusions from inside the organization. One option for NTSB to consider is to acquire the IDS service from a “Center of Excellence”[10] when it becomes available in FY 2008.

NTSB Must Establish Policies and Procedures for Privacy Protection

While NTSB has developed policies to protect portable computers and data from loss and virus infections and a process to report such losses to both agency management and to US-CERT, much work remains to meet the requirements of NIST Special Publication 800-53, “Recommended Security Controls for Federal Information Systems” (February 2005).

For example, NTSB’s docket system (part of the Accident Investigation System) contains investigators’ information on aircraft accidents and may contain sensitive personal information on aircraft victims, mechanics who worked on the aircraft and approved its airworthiness, or the medical condition of the pilots at the time of the accident. To adequately secure these data and meet the requirements of the E-Government Act of 2002, NTSB needs to develop a detailed privacy policy and procedures. This policy should enable the Agency to perform a methodical assessment to identify systems processing or storing sensitive personally identifiable information; incorporate privacy analysis into the C&A process; determine if these systems require completion of a Privacy Impact Analysis to meet the requirements of the E-Government Act of 2002; and implement sufficient controls—such as encryption—to prevent loss, misuse, or unauthorized access to these data. Such unauthorized access and misuse may put NTSB at risk of compromising people’s privacy.

[10] OMB is currently asking agencies to submit proposals to either become a service provider (Center of Excellence) for other agencies or migrate to another agency, from which they would acquire expert security services. Incident-response capabilities are part of this initiative, scheduled to be available in FY 2008. According to NIST, monitoring threats through IDS is an essential part of incident response; therefore, we assume that service providers for incident-response monitoring would include an IDS service. In our opinion, NTSB should become a client of one of these other agencies, when these services become available, to enhance its IDS capability.

In view of the security weaknesses that still require correction, NTSB’s information security program will need the continued support and attention of its senior management. Until NTSB corrects these problems, it will not have assurance that the level of protection being provided to its Agency assets is adequate. In FY 2007, it will be critical for NTSB to make significant progress in these areas to move forward in implementing an effective information security program.
As a result of this year’s assessment, we are making a series of recommendations to help NTSB strengthen its information security program.

RECOMMENDATIONS

To strengthen NTSB’s information security program, we recommend that the National Transportation Safety Board:

1. Improve the quality of the certification and accreditation process by:

   (a) ensuring that NTSB reassesses risk levels for each of its systems by December 31, 2006, and

   (b) prioritizing certification and accreditation reviews to ensure that all systems deemed to have a high risk of impact on NTSB operations are certified and accredited by June 30, 2007.

2. Improve NTSB’s network security by:

   (a) updating its password policies to enforce the use of a mixture of letters, numbers, and special symbols to construct user passwords to prevent easy guessing or cracking;

   (b) configuring network password settings, in accordance with NTSB security policies, by October 31, 2006;

   (c) categorizing and incorporating identified vulnerabilities into Agency POA&Ms by December 31, 2006;

   (d) taking immediate action to correct highly critical vulnerabilities by December 31, 2006;

   (e) establishing (in the short term) procedures to periodically review and analyze its IDS event log and report computer security incidents to proper authorities in a timely manner; and

   (f) acquiring (in the long term) the intrusion-detection monitoring service from a center of excellence when such services become available in FY 2008.

3. Take immediate action to protect systems containing sensitive personally identifiable information from unauthorized access and loss by:

   (a) developing a privacy policy, including methodologies and criteria for identifying systems that contain personally identifiable information;

   (b) incorporating proper security requirements and testing as part of the certification and accreditation process, along with performing a privacy impact assessment for these systems; and

   (c) implementing controls, including security software, for encryption protection of personally identifiable information on laptop computers as soon as possible.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL ANALYSIS

A draft of this report was provided to NTSB for comments on September 27, 2006. The Deputy Managing Director and Acting CIO responded on September 28, 2006. The response did not specify whether NTSB concurred with our recommendations. We include the response in its entirety in this report (see Enclosure 4).

The response focused on describing NTSB’s current processes relating to assessing systems risk, enforcing password security, remediating vulnerabilities, and reviewing intrusion-detection logs. We reviewed these processes during our audit and identified deficiencies, as described in our report. NTSB’s response did not add any new information for us to evaluate.

Overall, the response indicated that NTSB is satisfied that its actions to strengthen security are adequate. However, this is the third year we have reviewed NTSB’s information security program, and although NTSB continues to make progress, its information security program continues to have significant deficiencies. For example, NTSB has gone 3 years without completing any system certification and accreditation review, and is not planning to complete any before September 30, 2007. In its response, NTSB also suggested that we remove a critical finding from our report concerning not using a mixture of alpha, numeric, and special characters to construct passwords. Enforcing this basic password security practice is included in NIST guidance and is commonly practiced in the Federal Government and in industry. In our view, this response illustrates that NTSB is still not taking aggressive action to implement an effective information security program.

ACTION REQUIRED

We are requesting that you provide a written clarification of your response to our recommended actions within 30 days of this report’s issuance. If you concur with our recommendations, please indicate the specific action taken or planned for each recommendation and the target date for completion. If you do not concur, please provide your rationale. You may provide alternative courses of action that you believe would resolve the issues presented in this report.

Enclosure 1
Page 1 of 4

OFFICE OF INSPECTOR GENERAL CONTRIBUTION TO FISMA REPORT

Section C: Inspector General. Questions 1, 2, 3, 4, and 5.

Agency Name:

Question 1 and 2

1. As required in FISMA, the IG shall evaluate a representative subset of systems, including information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. By FIPS 199 risk impact level (high, moderate, low, or not categorized) and by bureau, identify the number of systems reviewed in this evaluation for each classification below (a., b., and c.).

To meet the requirement for conducting a NIST Special Publication 800-26 review, agencies can:
1) Continue to use NIST Special Publication 800-26, or
2) Conduct a self-assessment against the controls found in NIST Special Publication 800-53

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self reporting by contractors does not meet the requirements of law. Self reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

2. For each part of this question, identify actual performance over the past fiscal year by risk impact level and bureau, in the format provided below. From the representative subset of systems evaluated, identify the number of systems which have completed the following: have a current certification and accreditation, a contingency plan tested within the past year, and security controls tested within the past year.

Table columns (rows are by Bureau Name and FIPS 199 Risk Impact Level):

Question 1
   a. Agency Systems: Total Number; Number Reviewed
   b. Contractor Systems: Total Number; Number Reviewed
   c. Total Number of Systems: Total Number; Number Reviewed

Question 2
   a. Number of systems certified and accredited: Total Number; Percent of Total
   b. Number of systems for which security controls have been tested and evaluated in the last year: Total Number; Percent of Total
   c. Number of systems for which contingency plans have been tested in accordance with policy and guidance: Total Number; Percent of Total
        Total        Number          Total       Total Number Percent of Total\nNational Transportation Safety        High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\nBoard                                 Moderate                           5               0            1              0              6               0            1    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             5               0            1              0              6               0            1        16.7%              0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         
#DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         
#DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         
#DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         
#DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\nBureau                                High                                                                                          0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Moderate                                                                                      0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Low                                                                                           0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                      Not Categorized                                                                               0               0                 #DIV/0!                      #DIV/0!                         #DIV/0!\n                                   Sub-total                             0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   
0     #DIV/0!\nAgency Totals                          High                              0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\n                                      Moderate                           5               0            1              0              6               0            1    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\n                                      Low                                0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\n                                      Not Categorized                    0               0            0              0              0               0            0    #DIV/0!                0     #DIV/0!                   0     #DIV/0!\n                                   Total                                 5               0            1              0              6               0            1    #DIV/0!                0     #DIV/0!                   
0     #DIV/0!\n\x0c                                                                                                                                                                                                         Enclosure 1\n                                                                                                                                                                                                         Page 2 of 4\n\n\n\n\n                                                                                                                    Question 3\n\nIn the format below, evaluate the agency\xe2\x80\x99s oversight of contractor systems, and agency system inventory.\n                                    The agency performs oversight and evaluation to ensure information systems used or operated by a contractor of the\n                                    agency or other organization on behalf of the agency meet the requirements of FISMA, OMB policy and NIST guidelines,\n                                    national security policy, and agency policy. Self-reporting of NIST Special Publication 800-26 and/or NIST 800-53\n                                    requirements by a contractor or other organization is not sufficient, however, self-reporting by another Federal agency may\n                                    be sufficient.\n\n                 3.a.               
Response Categories:                                                                                                           - Almost Always, for example, approximately 96-100% of the time\n                                         - Rarely, for example, approximately 0-50% of the time\n                                         - Sometimes, for example, approximately 51-70% of the time\n                                         - Frequently, for example, approximately 71-80% of the time\n                                         - Mostly, for example, approximately 81-95% of the time\n                                         - Almost Always, for example, approximately 96-100% of the time\n\n\n                                    The agency has developed an inventory of major information systems (including major national security systems) operated\n                                    by or under the control of such agency, including an identification of the interfaces between each such system and all other\n                                    systems or networks, including those not operated by or under the control of the agency.\n\n                                    Response Categories:\n                3.b.1.                   
- Approximately 0-50% complete                                                                                                 - Approximately 96-100% complete\n                                         - Approximately 51-70% complete\n                                         - Approximately 71-80% complete\n                                         - Approximately 81-95% complete\n                                         - Approximately 96-100% complete\n\n\n\n                                                                                                                                                                                           Missing Agency Systems:\n                                    If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please list the systems that are missing\n                3.b.2.\n                                    from the inventory.\n                                                                                                                                                                                          Missing Contractor Systems:\n\n\n                 3.c.               The OIG generally agrees with the CIO on the number of agency owned systems.                                                                                      Yes\n\n\n                                    The OIG generally agrees with the CIO on the number of information systems\n                 3.d.                                                                                                                                                                                 Yes\n                                    used or operated by a contractor of the agency or other organization on behalf of the agency.\n\n\n                 3.e.               The agency inventory is maintained and updated at least annually.                                                                                                 
Yes\n\n\n                 3.f.               The agency has completed system e-authentication risk assessments.                                                                                                 no\n\n                                                                                                                    Question 4\n\n\nThrough this question, and in the format provided below, assess whether the agency has developed, implemented, and is managing an agency wide plan of action and milestone (POA&M) process. Evaluate the degree to which the\nfollowing statements reflect the status in your agency by choosing from the responses provided in the drop down menu. If appropriate or necessary, include comments in the area provided below.\n\nFor items 4a.-4.f, the response categories are as follows:\n\n      -   Rarely, for example, approximately 0-50% of the time\n      -   Sometimes, for example, approximately 51-70% of the time\n      -   Frequently, for example, approximately 71-80% of the time\n      -   Mostly, for example, approximately 81-95% of the time\n      -   Almost Always, for example, approximately 96-100% of the time\n\n\n\n                                    The POA&M is an agency wide process, incorporating all known IT security weaknesses associated with information\n                 4.a.                                                                                                                                              - Frequently, for example, approximately 71-80% of the time\n                                    systems used or operated by the agency or by a contractor of the agency or other organization on behalf of the agency.\n\n\n                                    When an IT security weakness is identified, program officials (including CIOs, if they own or operate a system) develop,\n                 4.b.                                                                                                                      
                        - Frequently, for example, approximately 71-80% of the time\n                                    implement, and manage POA&Ms for their system(s).\n\n                                    Program officials, including contractors, report to the CIO on a regular basis (at least quarterly) on their remediation\n                 4.c.                                                                                                                                              - Almost Always, for example, approximately 96-100% of the time\n                                    progress.\n\n                 4.d.               CIO centrally tracks, maintains, and reviews POA&M activities on at least a quarterly basis.                                   - Almost Always, for example, approximately 96-100% of the time\n\n                 4.e.               OIG findings are incorporated into the POA&M process.                                                                          - Rarely, for example, approximately 0-50% of the time"\n\n\n                                    POA&M process prioritizes IT security weaknesses to help ensure significant IT security weaknesses are addressed in a\n                 4.f.                                                                                                                                              - Sometimes, for example, approximately 51-70% of the time\n                                    timely manner and receive appropriate resources\n\nComments: NTSB\'s POA&M process did not contain all of our recommendations made last year nor NTSB\'s scanning results\n\n\n                                                                                                                    Question 5\n\n\nOIG Assessment of the Certification and Accreditation Process. 
OMB is requesting IGs to provide a qualitative assessment of the agency\xe2\x80\x99s certification and accreditation process, including adherence to existing policy, guidance, and\nstandards. Agencies shall follow NIST Special Publication 800-37, \xe2\x80\x9cGuide for the Security Certification and Accreditation of Federal Information Systems\xe2\x80\x9d (May, 2004) for certification and accreditation work initiated after May, 2004. This\nincludes use of the FIPS 199 (February, 2004), \xe2\x80\x9cStandards for Security Categorization of Federal Information and Information Systems,\xe2\x80\x9d to determine an impact level, as well as associated NIST documents used as guidance for completing\nrisk assessments and security plans .\n\n\n                                    Assess the overall quality of the Department\'s certification and accreditation process.\n\n                                    Response Categories:\n                                         - Excellent\n                                         - Good                                                                                                                    - Poor\n                                         - Satisfactory\n                                         - Poor\n                                         - Failing\n\n\nComments: NTSB has improved its information security program by establishing a systems inventory, establishing an interim POA&M process, and performing risk assessments on three systems. 
However, NTSB has\nnot completed any certification and accreditation reviews for its systems.\n\x0c                                                                                                                                                               Enclosure 1\n                                                                                                                                                               Page 3 of 4\n\n\n\n\n                                                                   Section B: Inspector General. Question 6, 7, 8, and 9.\n\n                                                                                        Agency Name:\n\n\n                                                                                         Question 6\n\n                        Is there an agency wide security configuration policy?\n       6.a.                                                                                                                                              Yes\n                        Yes or No.\n\n                        Comments: Although NTSB\'s security configuration standards are incorporated within several NTSB operation bulletins including the IT security,\n                        identification and authentication, and access control policies, these bulletins did not explicitly address the individual products listed in 6.b.\n\n\n                        Configuration guides are available for the products listed below. Identify which software is addressed in the agency wide security configuration policy.\n       6.b.             Indicate whether or not any agency systems run the software. 
In addition, approximate the extent of implementation of the security configuration policy on\n                        the systems running the software.\n\n\n\n\n                                                                                                                            Approximate the extent of implementation of the security\n                                                                                                                            configuration policy on the systems running the software.\n\n                                                                                                                            Response choices include:\n                                                                                                                            - Rarely, or, on approximately 0-50% of the\n                                                                                                                              systems running this software\n           Product                                                                                                          - Sometimes, or on approximately 51-70% of\n                                                                                                                              the systems running this software\n                                                                                                                            - Frequently, or on approximately 71-80% of\n                                                                  Addressed in agencywide\n                                                                                                                              the systems running this software\n                                                                          policy?              
Do any agency systems        - Mostly, or on approximately 81-95% of the\n                                                                                                 run this software?           systems running this software\n                                                                                                                            - Almost Always, or on approximately 96-100% of the\n                                                                             Yes, No,                                       systems running this software\n                                                                              or N/A.                  Yes or No.\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows XP Professional\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows NT\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows 2000 Professional\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              
Windows 2000 Server\n                                                                                 Yes                      Yes               systems running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Windows 2003 Server\n                                                                                 Yes                      Yes               systems running this software\n              Solaris\n                                                                                 N/A                      No\n                                                                                                                                  - Rarely, or, on approximately 0-50% of the systems\n              HP-UX\n                                                                                 Yes                      Yes               running this software\n                                                                                                                                  - Rarely, or, on approximately 0-50% of the systems\n              Linux\n                                                                                 Yes                      Yes               running this software\n                                                                                                                                  - Almost Always, or on approximately 96-100% of the\n              Cisco Router IOS\n                                                                                 Yes                      Yes               systems running this software\n              Oracle\n                                                                                 N/A                      No\n                                                                                                                  
                - Rarely, or, on approximately 0-50% of the systems\n              Other. Specify: SQL Server                                         Yes                      Yes               running this software\nComments: According to NTSB officials, the Agency has 10 legacy systems running on Unix and Linux that are in the process of being phased out due to recent\nmigration to Windows environment. Some of these computer systems, located at the NTSB laboratory, are used to analyze information from voice and data\nrecorders as part of accident investigations.\n\n                                                                                         Question 7\n\n\nIndicate whether or not the following policies and procedures are in place at your agency. If appropriate or necessary, include comments in the area provided below.\n\n                        The agency follows documented policies and procedures for identifying and reporting\n       7.a.             incidents internally.                                                                                                            No\n                        Yes or No.\n                        The agency follows documented policies and procedures for external reporting to law\n       7.b.             enforcement authorities.                                                                                                         Yes\n                        Yes or No.\n                        The agency follows defined procedures for reporting to the United States Computer\n       7.c.             Emergency Readiness Team (US-CERT). http://www.us-cert.gov                                                                       Yes\n                        Yes or No.\nComments: During the FY 2006, NTSB reported 1 incident of a stolen laptop that potentially contained Personally Identifiable Information. 
However, there was no evidence that other potential security events recorded by the Agency’s intrusion detection system were properly investigated.

                                                                                                                            Enclosure 1
                                                                                                                            Page 4 of 4

                                                             Question 8

    Has the agency ensured security training and awareness of all employees, including
    contractors and those employees with significant IT security responsibilities?

    Response: Almost Always, or approximately 96-100% of employees have sufficient training

    Response choices include:
    - Rarely, or approximately 0-50% of employees have sufficient training
    - Sometimes, or approximately 51-70% of employees have sufficient training
    - Frequently, or approximately 71-80% of employees have sufficient training
    - Mostly, or approximately 81-95% of employees have sufficient training
    - Almost Always, or approximately 96-100% of employees have sufficient training

                                                             Question 9

    Does the agency explain policies regarding peer-to-peer file sharing in IT security
    awareness training, ethics training, or any other agency-wide training?
    Yes or No.

    Response: Yes

                                                                   Enclosure 2

SCOPE AND METHODOLOGY
To fulfill the requirements under FISMA, we reviewed the NTSB information
security program.
We also contributed to NTSB’s FISMA report by answering
questions specified by OMB.

We assessed NTSB’s progress in correcting weaknesses identified in last year’s
FISMA review and interviewed key management officials in the Office of the CIO
to gather information on the implementation status of NTSB’s information
security program. We also reviewed key documentation related to NTSB’s
information security program, such as the systems inventory, risk assessments, plans
of action and milestones, network scanning results, and policies and procedures
relating to personally identifiable information. Based on the collected
information, we provided answers to OMB’s questions on FISMA reporting.

We used the audit methodologies recommended by the Government
Accountability Office and guidelines issued by other Government authorities such
as NIST.

We performed our work between August and September 2006 at NTSB
Headquarters in Washington, DC. This performance audit was conducted in
accordance with Generally Accepted Government Auditing Standards prescribed
by the Comptroller General of the United States and included such tests as we
considered necessary to detect fraud, waste, or abuse.

                                                     Enclosure 3

MAJOR CONTRIBUTORS TO THIS REPORT

Name                        Title

Edward Densmore             Program Director
Henry Lee                   Project Manager
Dr. Ping Sun                Project Manager
Michael P. Fruitman         Communications Adviser
Jim Mallow                  Senior Auditor
Aaron Nguyen                Computer Scientist
Atul Darooka                IT Specialist
Vasily Gerasimov            IT Specialist
Kathleen Huycke             Writer-Editor

                                                                                                            Enclosure 4
                                                                                                            Page 1 of 4
                                         National Transportation Safety Board
                                                            Washington, D.C. 20594

Office of the Managing Director

        September 28, 2006

         Rebecca Leng
         Assistant Inspector General
          for Financial and Information Technology Audits
         Department of Transportation Inspector General
         400 Seventh St. S.W., Room 9210
         Washington, D.C. 20590

                 Thank you for giving me the opportunity to comment on your draft report on the NTSB’s
         information security program, scheduled for release later this month. We appreciate your
         recognition of the concerted effort that the NTSB has made to improve its information security
         program and to correct the deficiencies that were identified in prior years. This letter constitutes
         my comments concerning your draft findings, and I request that this letter be made part of your
         final report.

         Risk Assessment

                Your draft report raises concerns about our application of Federal Information Processing
         Standard (FIPS) 199. Specifically, your draft report states that the NTSB completed risk
         assessments for only 3 of its 6 systems, and you note that all of our systems have been
         categorized as having the same impact level.
The NTSB agrees that careful application of FIPS
         199 is essential for accurately categorizing risk and mission impact level; however, the NTSB
         disagrees that vulnerability and threat information were not incorporated in our security
         categorizations. Our staff provided the audit team with an overview of the methods used to
         complete our FIPS 199 assessment, and we provided documentation that carefully explains how
         FIPS 199 practices were adhered to in our assessment.

                As we explained to your team, our risk assessment was conducted on a census, a 100%
         sample, of information types that make up our information systems. At the time of our risk
         assessment, the NTSB inventory listed 3 systems, including our General Support System (GSS).
         Our careful, high water mark analysis of these information types has led us to categorize each of
         our six systems as having a moderate risk level. Due to NTSB organizational changes and
         changes in managerial and financial oversight, and following suggestions from your office, 3
         new systems were disaggregated from our GSS. As we certify and accredit (C&A) each of our
         systems, we will produce a system security plan (SSP) for each system that will detail the
         information types that make up the respective information system. Because one or more of the
         SSPs may include fewer information types than were included in the FIPS 199 risk assessment, it
         is conceivable, though unlikely, that one or more of our systems could be downgraded to a low
         impact system.

                                                                                                     Enclosure 4
                                                                                                     Page 2 of 4

However, because no new information types will be listed in any system’s SSP,
no system will be upgraded to a high impact system. Therefore, it is likely that all of our
systems will remain categorized at the moderate impact level.

         That said, we recognize your concern that because our systems are all categorized at the
same impact level, we could be faced with difficult decisions concerning which systems to C&A
first, or how to provide appropriate protection for our various systems. We want to assure you
that this is not the case. Our Program of Action and Milestones (POAM) sets forth a timetable
for completion of C&A activities for each of our systems. This timetable represents our priority
order for conducting our C&A responsibilities. Our GSS SSP will house the vast majority of
common security controls for all of our systems, and therefore remains our highest priority for
C&A.

        We have confirmed with the National Institute of Standards and Technology (NIST) that
there is no inherent expectation that agencies will assign different impact levels to their systems.
Rather, agencies are required to comply with FIPS 199 definitions and precepts in determining
security categorization levels. The NTSB takes its FIPS 199 responsibilities very seriously.
Consequently, we are concerned that your draft oversimplifies our view of this process. FIPS
199 defines high impact systems as those for which the “...loss of confidentiality, integrity, or
availability could be expected to have a severe or catastrophic adverse effect on organizational
operations, organizational assets, or individuals” (p. 3).
The standard further states that a severe
or catastrophic effect is one that might: “(i) cause a severe degradation in or loss of mission
capability to an extent and duration that the organization is not able to perform one or more of its
primary functions; (ii) result in major damage to organization assets; (iii) result in major
financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or
serious life threatening injuries” (p. 3). The NTSB operates no such systems.

Password Security Requirements

       The NTSB agrees with the best practice of using complex passwords and will incorporate
it wherever possible in the appropriate SSPs. In fact, NTSB Operations Bulletin 210-GEN-003,
Paragraph 7(E) recommends constructing complex passwords by using a combination of letters,
numbers, and special symbols. Our written policy does not require complex passwords;
however, our security policies do enforce strong password requirements for those operating
systems that support such enforcement. The NTSB suggests that this section be deleted from
your report.

Previously Identified Vulnerabilities

        The NTSB agrees that accurate vulnerability analysis and corrective action are critical
components of an effective information security program, and we provided evidence to your
audit team that we took aggressive action in this area. We provided documentation of our
scanning program and procedures including meeting schedules, vulnerability reports, staff
actions, and subsequent reviews detailing vulnerability remediation efforts.
The information
provided demonstrates that immediately after conducting our initial vulnerability scans, the
NTSB began prioritizing the most critical vulnerabilities of password compliance issues and
patch management.

                                                                                                     Enclosure 4
                                                                                                     Page 3 of 4

CIO employees were directed to address over 92 computers that we
identified as having password related vulnerabilities. Corrections were made and verified
through subsequent vulnerability scans; however, false vulnerability reports were noted and
verified (e.g., one such machine reporting a false positive for administrative user names and
passwords is CVR-CD). Other false positives have been noted as network printers or similar
appliances whose operating systems have been customized by the manufacturer and are unable to
be further modified. Because these appliances have limited CD burning or printing capability
and are protected behind firewalls, the risks have been mitigated.

        As noted in NIST Special Publication (SP) 800-42, Guideline on Network Security
Testing, vulnerability testing may result in many false positive results. Therefore, proper
identification of false positives, and analysis of mitigating controls, is essential to this effort. We
explained to audit staff, and we provided documentation to show, that the vulnerability scan
reports include many false vulnerability reports. For example, some network printers are
erroneously reported by the software as Cisco routers, and some computers are erroneously listed
as having password vulnerabilities that are not actually present on those computers.
Although
your team did not request it, a demonstration of the false positives identified in prior year IG
scanning results as well as ongoing NTSB vulnerability scanning efforts could quickly resolve
this issue.

       Vulnerabilities such as buffer overflow have been addressed at the NTSB by using an
automated patch management system that deploys security patches to NTSB desktop computers
automatically upon their receipt. An overview of this system was provided to the IG staff as well
as evidence of procurement activities that are currently underway to further augment this
system. Automated patch management is an industry- and NIST-recommended (see NIST SP
800-42) best practice for addressing new security vulnerabilities, which are discovered every
day. This approach enables the NTSB to correct or mitigate vulnerabilities such as buffer overflow
as they arise.

Intrusion Detection Capabilities

        We appreciate your recognition that the NTSB implemented its intrusion detection
capabilities in February 2006. However, Operations Bulletin CIO-GEN-005 Incident Response
and Handling Policy and CIO-GEN-009 Auditing, Monitoring, and Reporting Policy were issued
on June 30, 2006. As recommended for medium impact systems by NIST SP 800-53, the NTSB
conducted periodic reviews of our intrusion detection logs. We provided evidence of this to your
audit team.

Privacy

        Your draft report notes that our docket system may contain privacy information, and it
notes that the NTSB needs to develop a detailed privacy policy and procedures to ensure these
data are properly protected. Although we do not disagree that more work remains, we note our
Docket Procedures Manual contains our “Redaction User’s Guide” that was published in March
2006.
The Guide carefully explains what types of private information must be protected from
public release, and it provides detailed procedures for preparing docket materials for public
release in a manner that ensures that private information will remain private.

                                                                                                Enclosure 4
                                                                                                Page 4 of 4

       Thank you again for the opportunity to provide these comments. We look forward to the
issuance of your final report.

                                          David L. Mayer, Ph.D.
                                          Deputy Managing Director & Acting CIO
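The "high water mark" reasoning in NTSB's Risk Assessment response above (every system inherits the highest impact of any information type it holds, so carving a system out of the GSS can lower its category but never raise it) is the aggregation rule of FIPS 199 Section 3, with the overall system level taken from FIPS 200 as the highest of the three objectives. The following Python block is an added illustration of that rule; it is not NTSB's tool or an artifact of the audit, and the information types and impact values in it are constructed for the example rather than taken from NTSB's inventory.

```python
"""FIPS 199 high-water-mark security categorization (added illustration, not NTSB's code)."""
from typing import Dict, Iterable, Mapping, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")            # FIPS 199 impact levels, ascending
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Constructed sample catalogue (assumption for the example, not NTSB's inventory):
# information type -> provisional (C, I, A) impact as an SP 800-60 style mapping would assign.
INFO_TYPES: Dict[str, Tuple[str, str, str]] = {
    "accident_investigation_records": ("MODERATE", "MODERATE", "LOW"),
    "flight_recorder_data":           ("MODERATE", "MODERATE", "MODERATE"),
    "public_docket":                  ("LOW", "MODERATE", "LOW"),
    "employee_pii":                   ("MODERATE", "MODERATE", "LOW"),
    "lab_equipment_schedule":         ("LOW", "LOW", "LOW"),
}


def _max_level(levels: Iterable[str]) -> str:
    """Highest impact level among `levels`, ordered LOW < MODERATE < HIGH."""
    return max(levels, key=LEVELS.index)


def categorize(info_types: Iterable[str],
               catalogue: Mapping[str, Tuple[str, str, str]] = INFO_TYPES) -> Dict[str, str]:
    """FIPS 199 categorization of a system from the information types it holds:
    for each security objective, the system's impact is the highest impact that any
    of its information types assigns to that objective (the high water mark)."""
    rows = [catalogue[name] for name in info_types]
    if not rows:
        raise ValueError("a system must hold at least one information type")
    return {obj: _max_level(row[i] for row in rows) for i, obj in enumerate(OBJECTIVES)}


def overall_impact(category: Mapping[str, str]) -> str:
    """Overall system impact level used to select the SP 800-53 baseline (FIPS 200):
    the highest of the three objective levels."""
    return _max_level(category.values())


def disaggregation_never_raises(parent: Iterable[str], child: Iterable[str],
                                catalogue: Mapping[str, Tuple[str, str, str]] = INFO_TYPES) -> bool:
    """Carving a child system out of a parent (the child's information types are a subset
    of the parent's) can lower the child's per-objective levels but never raise them,
    because a maximum taken over fewer items is never larger."""
    parent, child = list(parent), list(child)
    if not set(child) <= set(parent):
        raise ValueError("child must hold a subset of the parent's information types")
    p, c = categorize(parent, catalogue), categorize(child, catalogue)
    return all(LEVELS.index(c[o]) <= LEVELS.index(p[o]) for o in OBJECTIVES)


if __name__ == "__main__":
    gss = list(INFO_TYPES)                       # general support system holds every type
    for name, types in [("GSS", gss),
                        ("docket", ["public_docket"]),
                        ("lab_scheduling", ["lab_equipment_schedule"])]:
        cat = categorize(types)
        print(f"{name:15s} {cat}  overall={overall_impact(cat)}")
        assert disaggregation_never_raises(gss, types)
```

With the constructed catalogue the GSS and the docket system both land at MODERATE overall, while a system holding only the all-LOW scheduling type drops to LOW once disaggregated, which is the "conceivable, though unlikely" downgrade the letter describes; no subset of the GSS's information types can reach HIGH.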